Abstract

Let $F$ be the set of functions from an infinite set, $S$, to an ordered
ring, $R$. For $f$, $g$, and $h$ in $F$, the assertion $f = g + O(h)$ means that
for some constant $C$, $|f(x) - g(x)| \le C|h(x)|$ for every $x$ in $S$. Let $L$
be the first-order language with variables ranging over such functions,
symbols for $0$, $+$, $-$, $\min$, $\max$, and absolute value, and a ternary relation
$f = g + O(h)$. We show that the set of quantifier-free formulas in this
language that are valid in the intended class of interpretations is decidable,
and does not depend on the underlying set, $S$, or the ordered ring, $R$. If
$R$ is a subfield of the real numbers, we can add a constant 1 function,
as well as multiplication by constants from any computable subfield. We
obtain further decidability results for certain situations in which one adds
symbols denoting the elements of a fixed sequence of functions of strictly
increasing rates of growth.

1 Introduction 

Let $F$ be the set of functions from any infinite set $S$ to any ordered ring $R$, and
let $f, g, h, \ldots$ range over elements of $F$. The assertion $f = O(g)$, read "$f$ is big O
of $g$," means that there is a constant $C$ such that for every $x$, $|f(x)| \le C|g(x)|$.
More generally, the assertion $f = g + O(h)$ means that $f - g = O(h)$; in other
words, there is a constant $C$ such that for every $x$,

$$|f(x) - g(x)| \le C|h(x)|.$$

Read this as saying that $f$ and $g$ have the same rate of growth up to that of $h$.
The notion is used widely in mathematics and computer science as a means of
characterizing functions and their behaviors.

Determining the validity of entailments between big O equations involving
even only linear expressions can be tricky. For example, the entailments



and

$$\left.\begin{array}{l} f + g = h + O(k) \\ g = O(l) \\ k = O(l) \end{array}\right\} \Rightarrow f = h + O(l)$$


follow from the definitions above. Proofs in analysis often involve long sequences
of such calculations based on facts like these. This is the case in analytic number
theory; infrastructure for big O calculations was needed to support the formal
verification of an elementary proof of the prime number theorem [3] using the
proof assistant Isabelle [12]. See also Graham et al. [7] for a helpful overview of
big O notation and its properties.

Let $L$ be the first-order language with variables $f, g, h, \ldots$, symbols for
$0$, $+$, $-$, $\min$, $\max$, and absolute value, and a ternary relation $f = g + O(h)$. We
show that the set of quantifier-free formulas in this language that are valid in the
intended class of interpretations is decidable, and does not depend on the
underlying set, $S$, or the ordered ring, $R$. When $S$ itself has an ordering, $f = g + O(h)$
is sometimes read as the assertion that $f$ and $g$ eventually have the same rate of
growth up to $O(h)$, that is, that for some $C$ and $d$, $|f(x) - g(x)| \le C|h(x)|$ for
all $x > d$. We show that this reading of big O equations does not change the set
of valid formulas. If $R$ is a subfield of the real numbers, we can add a constant
1 function, as well as multiplication by constants from any computable subfield.

In fact, we even have decidability in certain situations where we add a
sequence of function symbols $(g_a)$, indexed by elements $a$ of a computable ordering
$I$, denoting a fixed sequence of functions with strictly increasing rates of growth.
For example, suppose we are interested in functions from positive integers to
the real numbers. Consider the set of terms built up from variables and symbols
for arbitrary products of the fixed functions

$$1, \ldots, (\log x)^q, \ldots, x^r, \ldots, e^x, \ldots,$$

where $q$ and $r$ range over rational numbers, using rational linear combinations,
$\min$, $\max$, and absolute value (but neither multiplication nor composition).
Consider the set of Boolean combinations of big O expressions involving these
terms that are valid when $f = g + O(h)$ is interpreted as the assertion that $f$
and $g$ eventually have the same rate of growth up to $O(h)$. We show that this
set is decidable.

In practice, big O reasoning is often used when the terms involve sums
of functions that take only nonnegative values. Handling this case is somewhat
easier than the more general one. Our strategy is therefore to deal with that case
first, and then reduce the general case to the more restricted one. In both cases,
big O relations are transitive: if $r = s + O(t)$ and $t = O(u)$, then $r = s + O(u)$.
In the more restricted case, two equations $r_1 = s_1 + O(t_1)$ and $r_2 = s_2 + O(t_2)$
entail their sum, $r_1 + r_2 = s_1 + s_2 + O(t_1 + t_2)$, and $f_1 + \ldots + f_k = O(t)$ entails
$f_i = O(t)$ for each $i$. Also, a variable need only appear once inside the $O$; for
example, $O(f + f)$ is the same as $O(f)$. Below, we will show, roughly, that all
valid entailments are obtained in this way. Thus, our decision procedure works
by using these principles to derive consequences from a set of hypotheses until
a saturation point is reached; an equation $r = s + O(t)$ then follows from the
hypotheses if and only if $r = s$ is a linear combination of the equations that
have been determined to hold up to $O(t)$.

It should not be difficult to incorporate variants of our algorithms to support
formal verification with mechanized proof assistants such as ACL2 [TU], Coq [5],
HOL [B], Isabelle [12], or PVS [13]. These algorithms cover a large number
of straightforward big O inferences that were used to verify the prime number
theorem. (They do not cover, however, inferences that involve multiplicative
properties of big O reasoning; see the discussion in Section [SJ].) We therefore
view the questions addressed here as an example of the kinds of interesting
theoretical issues that can emerge from such efforts, and the resulting algorithm
as an example of the kinds of domain-specific support that can be useful.

We are grateful to two anonymous referees for many corrections and
improvements, and to one of them for finding a problem with our initial formulation of
the results in Section [7].

2 An axiomatization of positive big O equations 

The simplest version of our decision procedure acts on expressions in the
following language, $L$, for first-order logic with equality: terms are built up from
variables $f_1, f_2, \ldots$ and a constant symbol, $0$, using a binary function symbol,
$+$, and there is one ternary relation in the language, written $r = s + O(t)$.

In the intended class of interpretations, the variables range over functions
$f_1, f_2, \ldots$ from a set $S$ to an ordered semiring, that is, the nonnegative part of
an ordered ring $R$. We assume that the ring is nontrivial, so zero is not equal
to one. The symbol $+$ denotes pointwise addition, $0$ denotes the constant zero
function, and $f = g + O(h)$ denotes the assertion that there is a $C$ in the ring
such that $|f(x) - g(x)| \le C|h(x)|$ for all $x$ in $S$.¹

¹ It is common to define $f = O(g)$ to mean $f \in O(g)$, where $O(g)$ is defined to be the set
of functions $f$ satisfying $\forall x\, (|f(x)| \le C|g(x)|)$ for some $C$. The expression $f = g + O(h)$ is
then defined to mean $f - g = O(h)$. These definitions are clearly equivalent to the ones we
have presented. While it can be convenient to use the set formulation when formalizing such
notions in higher-order logic, the formulations we use have the virtue of being first-order.
Big O notation also makes sense for functions from a set to an ordered group; see the
discussion at the end of Section 3]

Below we provide a list of axioms, whose universal closures are true for the set
$F$ of functions in the intended interpretation. Here, we are only concerned with
the quantifier-free consequences of these axioms. By Herbrand's theorem, a
quantifier-free formula is provable from universal axioms using first-order logic
with equality if and only if there is a propositional proof of that formula from
finitely many instances of the axioms, together with instances of equality
axioms. So, instead of a first-order proof system, we can just as well consider the
quantifier-free proof system whose nonlogical axioms consist of all the instances
of the formulas below.

We will write $r = O(s)$ instead of $r = 0 + O(s)$. In the second-to-last axiom,
the notation $kf$ abbreviates a sum $f + f + \cdots + f$ of $k$ many $f$'s. The axioms
are as follows.



1. $f = g \leftrightarrow f = g + O(0)$

2. axioms asserting that $+$ is associative and commutative, with identity $0$

3. axioms asserting that for fixed $h$, the relation $f = g + O(h)$ is reflexive,
symmetric, and transitive

4. monotonicity: $f = O(f + g)$

5. transitivity: $f = g + O(h) \land h = O(k) \to f = g + O(k)$

6. linearity:

(a) $f_1 = g_1 + O(h) \land f_2 = g_2 + O(h) \to f_1 + f_2 = g_1 + g_2 + O(h)$

(b) $f_1 + f_2 = g_1 + g_2 + O(h) \land f_1 = g_1 + O(h) \to f_2 = g_2 + O(h)$

(c) for each positive integer $k$, the axiom $kf = kg + O(h) \to f = g + O(h)$

The first axiom implies that the equality symbol can be eliminated in favor of
equality "up to $O(0)$." The transitivity axiom asserts that if $r = O(s)$, then
any equation that holds up to $O(r)$ also holds up to $O(s)$. Thus a relation of
the form $r = O(s)$ induces an inclusion on the set of equations that hold up to
$O(r)$ and $O(s)$, respectively.

Let us consider some consequences of the axioms. First, monotonicity and
transitivity imply

$$f + g = O(h) \to f = O(h).$$

Intuitively, this is clear, since we have $f \le f + g$. Also, monotonicity, transitivity,
and the first linearity axiom yield a slightly stronger form of linearity:

$$f_1 = g_1 + O(h_1) \land f_2 = g_2 + O(h_2) \to f_1 + f_2 = g_1 + g_2 + O(h_1 + h_2).$$

The third linearity axiom then implies that for any positive integers $k_1, \ldots, k_m$,

$$k_1 f_1 + \ldots + k_m f_m = O(f_1 + \ldots + f_m).$$

Of course, we also have $f_1 + \ldots + f_m = O(k_1 f_1 + \ldots + k_m f_m)$. It is convenient to
express these last two facts by writing $O(f_1 + \ldots + f_m) = O(k_1 f_1 + \ldots + k_m f_m)$.
This means that a rate of growth $O(t)$ only depends on the variables that appear
in $t$, and not the number of times that they occur.

If $f = O(t)$, linearity implies $s + f = s + O(t)$. Thus if $s'$ denotes the result
of deleting occurrences of $f$ in $s$, then $f = O(t)$ implies $s = s' + O(t)$. This
means that in an equation $r = s + O(t)$, all that is relevant are the variables
appearing in $t$, and the parts of $r$ and $s$ that do not involve variables in $t$. In
other words, if $t'$ denotes the sum of the distinct variables occurring in $t$, and
$r'$ and $s'$ denote the result of deleting these variables from $r$ and $s$, respectively,
then $r = s + O(t)$ is equivalent to $r' = s' + O(t')$. For example,

$$3f_1 + 2f_2 = 5f_3 + O(f_2 + 3f_4)$$

is equivalent to

$$3f_1 = 5f_3 + O(f_2 + f_4).$$

Moreover, $f = O(t)$ implies $O(t) = O(t + f)$. So deriving equations of the
form $f = O(t)$ can both enlarge the set of equations that are known to hold
up to $O(t)$ by adding any equations that are known to hold up to $O(t + f)$,
and simplify equations that are already known to hold up to $O(t)$ by making $f$
irrelevant. Note, finally, that for any term $s$, $f + s = O(t)$ implies $f = O(t)$.
This means that we can derive equations of the form $f = O(t)$ by finding a
linear combination of equations that are known to hold up to $O(t)$ that results
in an equation of the form $f + s = O(t)$.

It will be convenient below to work with big O equations of the form

$$a_1 f_1 + \ldots + a_m f_m = O(t) \tag{1}$$

where $a_1, \ldots, a_m$ are arbitrary rational coefficients. Negative values can easily
be interpreted away by moving the terms to the other side of the equation; for
example, $3f_1 - 2f_2 = O(f_3)$ can be viewed as an abbreviation for $3f_1 = 2f_2 + O(f_3)$.
Similarly, equations involving fractional coefficients can be understood
in terms of the result of multiplying through by the least common multiple. Of
course, for implementation purposes, one should take these equations at face
value, rather than treating them as metamathematical abbreviations for much
longer expressions.

Now suppose we are given a system of equations

$$a_{i,1} f_1 + \ldots + a_{i,m} f_m = O(t) \tag{2}$$

for fixed $t$ and $i = 1, \ldots, n$. The linearity axioms imply that any linear
combination of the expressions on the left-hand side also has rate of growth $O(t)$.
Thus we can use conventional methods of linear algebra to derive new equations
of the form (1).

3 A combinatorial lemma 

Let us consider where we stand. With helpful notational abbreviations, we
have focused our attention on formulas of the form (1), where the coefficients
are rational numbers. Without loss of generality, we can assume $t$ is a sum of
distinct variables, and that these variables are disjoint from $f_1, \ldots, f_m$. Suppose
we start with a set of hypotheses and derive a set of equations of the form (2),
for a fixed $t$, with $i = 1, \ldots, n$. We can both enlarge and simplify this set
of consequences by deriving new formulas $f_v = O(t)$ for $v = 1, \ldots, m$. We
can do that, in turn, by finding linear combinations of the equations (2) that
yield formulas of the form (1) in which each coefficient is nonnegative and $a_v$ is strictly
positive for some $v$.

In this section, we show that it is algorithmically decidable whether such a
linear combination of the equations exists. We will also provide a dual
characterization of this condition that will ultimately enable us to show that our
decision procedure for quantifier-free big O expressions is complete. The
decision procedure itself will be presented in the next section.

Suppose we are given a system of $n$ equations of the form (2), where $i$ runs
from 1 to $n$. A rational linear combination of the expressions on the left-hand
side is an expression of the form

$$\sum_{i=1 \ldots n} b_i a_{i,1} f_1 + \ldots + \sum_{i=1 \ldots n} b_i a_{i,m} f_m \tag{3}$$

for some sequence of rational numbers $b_1, \ldots, b_n$. We would like to know whether
there is a choice of $b_1, \ldots, b_n$ that makes all the coefficients nonnegative, and at
least one coefficient strictly positive.

Let $A$ be the $n \times m$ matrix of rational numbers $\{a_{i,j}\}_{i=1 \ldots n,\ j=1 \ldots m}$. If we use $f$
to denote the vector of variables $(f_1, \ldots, f_m)$, and we let $f^t$ denote its transpose,
then the equations (2) are just the rows of $Af^t$. If $b$ is the vector $(b_1, \ldots, b_n)$,
then $bAf^t$ is expression (3), and $bA$ is the vector of the $m$ coefficients.

Lemma 3.1 Let $A$ be an $n \times m$ matrix of rational numbers, and let $v$ be any
index, $1 \le v \le m$. Then the question as to whether there is any vector $b =
(b_1, \ldots, b_n)$ such that $bA$ is nonnegative and the $v$th element is strictly positive
is decidable.

Proof. This is a system of $m$ inequalities in $n$ unknowns, and so the problem
amounts to determining whether a linear program is feasible. This is easily
solved using standard linear programming techniques [TJ 114) . □

In Section 2J we will use the following dual characterization of the problem.

Lemma 3.2 Let $A$ be an $n \times m$ matrix of rational numbers, and let $v$ be any
index, $1 \le v \le m$. Then the following two conditions are equivalent:

1. There is a vector $b = (b_1, \ldots, b_n)$ such that $bA$ is nonnegative, and the $v$th
component of $bA$ is strictly positive.

2. There is no nonnegative vector $f = (f_1, \ldots, f_m)$ of rational numbers
satisfying $Af^t = 0$ and $f_v > 0$.

Proof. To see that 1 implies 2, suppose 2 is false. Then there is a nonnegative
vector $f = (f_1, \ldots, f_m)$ of rational numbers with $Af^t = 0$ and $f_v > 0$.
Then $bAf^t = 0$ for every $b$, that is, the expression
$\sum_{i=1 \ldots n} b_i a_{i,1} f_1 + \ldots + \sum_{i=1 \ldots n} b_i a_{i,m} f_m$
is equal to 0. If, on the other hand, 1 holds, there is a $b$ such
that each term of this expression is nonnegative and the $v$th summand is strictly
positive, making the expression strictly positive. Thus if 2 is false, 1 is false as
well.

The fact that 2 implies 1, and, in fact, the full equivalence, is a direct
consequence of the duality theorem for linear programming. Consider the following
two problems:

1. Find a vector $b$ maximizing the constant function 0, subject to the
constraints $bA \ge (0, 0, \ldots, 0, 1, 0, \ldots, 0)$, where the 1 occurs in the $v$th
position.

2. Find a vector $f$ minimizing $-f_v$, subject to the constraints $f \ge 0$ and
$Af^t = 0$.

By the duality theorem ([Ml Theorem 3.1] or [8l Theorem 8.3.1]), the first
problem has a solution if and only if the second one does.

Now suppose there is a $b$ such that each component of $bA$ is nonnegative,
and the $v$th component is strictly positive. Scaling $b$ by the reciprocal of the
$v$th component, we get a vector $b'$ such that $b'A$ is nonnegative and the $v$th
component is greater than or equal to 1. Thus the first problem has a solution
if and only if condition 1 of the lemma holds.

On the other hand, $Af^t = 0$ has at least one solution, namely, when $f$ is the
constant $0$ vector. Suppose $f$ is a nonnegative vector such that $Af^t = 0$ and
$f_v$ is strictly positive. Then any multiple of $f$ also has this property, and the
multiples of $-f_v$ are unbounded. Thus the second problem has a solution if and
only if for every $f$ satisfying $Af^t = 0$ and $f \ge 0$, we have $f_v = 0$; that is, if and
only if condition 2 of the lemma holds. So the two conditions are equivalent, as
claimed. □

The following fact will also be useful in proving completeness. 

Lemma 3.3 Let $A$ be an $n \times m$ matrix of rational numbers, and suppose for
every $v$ from 1 to $m$ there is a nonnegative vector $f$ such that $Af^t = 0$ and
the $v$th component of $f$ is strictly positive. Then there is a vector $f$ such that
$Af^t = 0$, and every component of $f$ is strictly positive.

Proof. For each $v$, choose a vector $f_v$ satisfying the hypothesis. Then the sum
$f = \sum_{v=1}^{m} f_v$ of these vectors satisfies $Af^t = \sum_{v=1}^{m} Af_v^t = 0$, and every
component of $f$ is strictly positive. □



4 A decision procedure 

Let $L$ be the language described in Section [2]. Let $S$ be any set, let $R$ be any
ordered ring, and let $F$ be the set of functions from $S$ to the nonnegative part
of $R$. Say that a quantifier-free formula in $L$ is valid in $F$ if its universal closure
holds in $F$, that is, if the formula is true for all instances of the variables under
the intended interpretation.

Before considering arbitrary quantifier-free formulas, we first consider Horn
clauses. These are formulas of the form

$$\varphi_1 \land \ldots \land \varphi_k \to \psi$$

where each $\varphi_i$ and $\psi$ is an atomic formula. We will prove:

Theorem 4.1 Let $L$ and $F$ be as above. The set of Horn clauses that are valid
in $F$ is decidable, and does not depend on the choice of $S$ or $R$.

In particular, the valid Horn clauses are exactly the ones that hold of the set of
functions mapping a single element to the natural numbers.

Now consider any quantifier-free formula in $L$. Classically, this formula is
equivalent to one in conjunctive normal form, that is, a conjunction of
disjunctions of literals (i.e. atomic formulas and their negations). A conjunction of
formulas is valid in $F$ if and only if each conjunct is valid in $F$, so to provide
a decision procedure for arbitrary quantifier-free formulas, it suffices to provide
a decision procedure for disjunctions of literals. But any such disjunction is
equivalent to a formula of the form

$$\varphi_1 \land \ldots \land \varphi_k \to \psi_1 \lor \ldots \lor \psi_l \tag{4}$$

where each $\varphi_i$ and $\psi_j$ is an atomic formula, that is, a big O equation. If any of
the implications

$$\varphi_1 \land \ldots \land \varphi_k \to \psi_j \tag{5}$$

is valid in some $F$ (and so, by Theorem 4.1, in all $F$'s), then clearly (4) is valid
in all $F$'s. On the other hand, if there is a counterexample to each equation (5),
then by Theorem 4.1 there is a counterexample consisting of a function from
a singleton to the natural numbers. We can combine these $l$ counterexamples
into a single counterexample consisting of functions from $\{1, \ldots, l\}$ to $\mathbb{N}$, where
each variable $f$ is interpreted as the function that takes the value of the $j$th
counterexample on input $j$. This provides a counterexample to (4). Since there
is no structure on the set $S$, all that matters is its cardinality; so we have that
the formula (4) is valid for all $F$'s for which $S$ is sufficiently large if and only
if each Horn clause (5) is valid in every $F$. So Theorem 4.1 has the following
consequence.

Theorem 4.2 Let F be the set of functions from any infinite set S to the 
nonnegative part of any ordered ring R. Then the set of quantifier-free formulas 
that are valid in F is decidable, and does not depend on S or R. 

If $S$ is an ordered set with no greatest element, one sometimes finds
alternative readings of $r = s + O(t)$ to the effect that the rate of growth is bounded
eventually, that is, for all suitably large $x$. (If $S$ has a greatest element, the
notion degenerates, depending on whether one uses $>$ or $\ge$ to express "suitably
large.") Once again, a decision procedure for arbitrary quantifier-free
formulas reduces to a decision procedure for Horn clauses. It is not hard to verify
that if a Horn clause is valid under the original reading, it is valid under the
"eventually" reading. Conversely, it is not hard to turn a counterexample to
the original reading where the domain $S$ is a singleton into a counterexample
to the "eventually" reading for any ordered $S$ using the corresponding constant
functions. So we have:

Theorem 4.3 The set of quantifier-free formulas of $L$ that are valid for every
set of functions from an ordered set with no greatest element to the nonnegative
part of an ordered ring on the "eventually" reading coincides with the set of
formulas named in Theorem 4.2.

Proof of Theorem 4.1. We will describe an algorithm for determining whether
a Horn clause is valid, and show that the algorithm behaves as advertised.
Suppose we are given a Horn clause with variables among $f_1, \ldots, f_m$. Without
loss of generality we can assume that the hypotheses are all of the form $q = O(r)$,
where $q$ is a rational linear combination of $f_1, \ldots, f_m$, and $r$ is a sum of distinct
variables from among $f_1, \ldots, f_m$. We can also assume that the conclusion,
$s = O(t)$, is of this same form. Our task is to decide whether the conclusion is
entailed by the hypotheses.

For any subset $A$ of $\{f_1, \ldots, f_m\}$, it will be convenient to write $t_A$ for the
sum $\sum_{f_i \in A} f_i$ of the variables in $A$. Also, if $q$ is a rational linear combination
of $f_1, \ldots, f_m$, it will be convenient to write $q[A]$ for the result of setting the
coefficient of $f_i$ to zero for each $f_i$ in $A$. We saw in the previous section that
for any $s$ and $t$, if $A$ is the set of variables occurring in $t$, then $s = O(t)$ is
equivalent to $s[A] = O(t_A)$. Also, if the indices of the variables of $r$ are all in
$A$, then $q = O(r)$ entails $q = O(t_A)$, which is equivalent to $q[A] = O(t_A)$.

The algorithm is as follows:

    Set $A$ equal to the set of variables occurring in $t$.
    Repeat:
        Let $Q$ be the set of terms $q[A]$ where $q = O(r)$ is a hypothesis
        and the variables of $r$ are all in $A$.
        For each $f_v \in \{f_1, \ldots, f_m\} - A$:
            If there is a rational linear combination of elements of $Q$
            with nonnegative coefficients and positive $v$th coefficient,
            add $f_v$ to $A$.
    until no new indices are added to $A$.
    Let $Q$ be the set of terms $q[A]$ where $q = O(r)$ is a hypothesis and
    the variables of $r$ are all in $A$.
    If $s[A]$ is a linear combination of elements of $Q$, return "true," else
    return "false."

We start by setting $A$ to be the set of variables occurring in $t$, so $O(t) = O(t_A)$.
At each pass through the outer loop, we try to augment $A$ while maintaining
$O(t) = O(t_A)$. Suppose we have a hypothesis $q = O(r)$, where the
variables of $r$ are all in $A$. Then $r = O(t_A)$. By transitivity, we have $q = O(t_A)$,
which is equivalent to $q[A] = O(t_A)$. Thus we let $Q$ be the set of terms $q[A]$
corresponding to such $r$. Then any linear combination of elements of $Q$ also
has order of growth $O(t_A)$. If some such linear combination has nonnegative
coefficients, and the coefficient of $f_v$ is strictly positive for some $v$, then we know
that $f_v = O(t_A)$. This implies $O(t) = O(t_A) = O(t_A + f_v) = O(t_{A \cup \{f_v\}})$, and
we add $f_v$ to $A$. The outer loop terminates when we can no longer derive new
expressions of the form $f_v = O(t_A)$.

Once we have left the outer loop, we will have $O(t) = O(t_A)$, and we once
again let $Q$ be the set of terms $q[A]$ such that we have $r = O(t_A)$. If $s$ is
a linear combination of terms in $Q$, then $s = O(t_A) = O(t)$. Thus we have
shown that $s = O(t)$ is a consequence of the hypothesis in any of the intended
interpretations, and we return "true." Otherwise, we return "false."

All we have left to do is to show that if the algorithm returns "false," then
there is a counterexample in the set of functions $F$ from any set $S$ to the
nonnegative part of any ordered ring, $R$. In fact, we will construct a counterexample
where $S = \{*\}$ is a singleton and $R$ is the integers. Thus our counterexample
amounts to assigning a nonnegative integer to each variable $f_i$. In that case, an
expression of the form $s = O(t)$ comes out true if and only if $t$ is nonnegative,
or $t = 0$ and $s = 0$. Conversely, $s = O(t)$ comes out false if and only if $t = 0$ and
$s$ is strictly positive. Since every ordered ring contains a copy of the natural
numbers and one can take the corresponding constant functions for any set $S$,
this provides counterexamples for every $S$ and $R$, simultaneously.

We now describe the assignment of nonnegative integers to the variables $f_i$.
Let $A$ be the set of variables at the termination of the outer loop. For each $f_i$
in $A$, set $f_i = 0$.

We still have to assign values to the variables $f_i$ that are not in $A$. Let $Q$ be
the set of expressions $q[A]$ such that $q = O(r)$ is one of the hypotheses and the
variables of $r$ are in $A$. Since the outer loop terminates with that value of $A$,
by Lemma 3.3 we know that there is an assignment of strictly positive rational
values $c_i$ to each variable $f_i$ not in $A$ making each $q[A]$ equal to 0. Scaling
these, we can assume that each $c_i$ is a strictly positive integer. Also, since $s[A]$
is not a linear combination of the expressions in $Q$, by linear algebra there is an
assignment of rational values $d_i$ to variables $f_i$ not in $A$ making each $q[A]$ equal
to zero and $s[A]$ nonzero. Scaling again, we can assume that the values of $d_i$
are integers.

Suppose the value of $s[A]$ under the assignment of the $c_i$'s is $x$ and the value
of $s[A]$ under the assignment of the $d_i$'s is $y$. Since the $c_i$'s are strictly positive
and $y$ is nonzero, we have that for sufficiently large integer $e$, assigning $ec_i + d_i$
to $f_i$ will make $f_i$ strictly positive. In that case, each $q[A]$ gets the value 0, and
$s[A]$ gets the value $ex + y$. Because $y$ is not zero, we can choose $e$ such that in
addition $ex + y$ is not equal to 0. So we choose such an $e$ and assign each $f_i$ the
value $ec_i + d_i$.

We need to show that with the assignment of values to the $f_i$'s that we have
just described, each hypothesis $q = O(r)$ comes out true, while $s = O(t)$ comes
out false. First, note that if any variable of $r$ is not in $A$, then $r$ is strictly
positive, and $q = O(r)$ is true. Thus we only have to worry about hypotheses
$q = O(r)$ where $q[A]$ is one of the expressions in $Q$. In that case, our assignment
of values to $f_i$'s not in $A$ ensures that $q[A]$ has value 0, and since we have
assigned zero to the other $f_i$'s, we have $q = q[A]$. Thus each such $q$ has value 0,
and since $0 = O(0)$, the hypotheses are satisfied.

On the other hand, since the variables of $t$ are all in $A$, $t$ has a value of $0$
under the assignment. We have also ensured that the value of $s[A]$, and hence
the value of $s$, is strictly positive. Thus, under the assignment, $s = O(t)$ is false,
as required. □



Note that the inner loop repeats at most $m$ times, where $m$ is the number
of variables occurring in $t$. The bottleneck therefore occurs in testing the
satisfiability of the system of linear inequalities in the inner loop. This can be done
using standard linear programming techniques [TJ[T3]. Karmarkar's algorithm 
[5], for example, solves such problems in time 0(n 3 5 L lni In 2 L), where n is the 
number of variables, and L is the length of the input. This shows that, at least 
in principle, our algorithm can be made to run in polynomial time. In practice, 
we expect that a simple-minded algorithm like the Fourier-Motzkin procedure 
[1] will work quite well, despite the fact that it can run in double-exponential 
time in the worst case [16]. Other methods, such as Dantzig's simplex method 
[14] or Weispfenning's "test point" method [HJ[l5], are further options. 

We have implemented, in ML, a prototype version of the algorithm just de- 
scribed, based on the Fourier-Motzkin test. We have confirmed that it does well 
on natural examples: on a Pentium M 1.6 GHz processor, our implementation 
decides examples with on the order of five or six variables, like the ones in the 
introduction, in under 20 ms (which is about the limit of our timer's precision). 
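
The saturation procedure from the proof of Theorem 4.1, as an added Python example (not the authors' ML prototype): the inner check uses a Fourier-Motzkin feasibility test over exact rationals and the final step uses Gaussian elimination. The function names and the encoding of a hypothesis $q = O(r)$ as a pair (coefficient dict for $q$, set of variables of $r$) are assumptions of this example; variables range over nonnegative functions, as in this section.

```python
from fractions import Fraction

def fm_feasible(rows):
    """Fourier-Motzkin test: is there a rational x with sum(c[k]*x[k]) >= rhs
    for every (c, rhs) in rows? Variables are eliminated one at a time."""
    rows = [([Fraction(x) for x in c], Fraction(rhs)) for c, rhs in rows]
    nvars = len(rows[0][0]) if rows else 0
    for k in range(nvars):
        pos = [r for r in rows if r[0][k] > 0]
        neg = [r for r in rows if r[0][k] < 0]
        keep = [r for r in rows if r[0][k] == 0]
        for cp, rp in pos:
            for cn, rn in neg:
                # Scale so x_k has coefficient +1 and -1, then add the rows.
                a, b = 1 / cp[k], 1 / -cn[k]
                keep.append(([a * x + b * y for x, y in zip(cp, cn)],
                             a * rp + b * rn))
        rows = keep
    # Only constraints of the form 0 >= rhs remain.
    return all(rhs <= 0 for _, rhs in rows)

def can_bound(Q, v, ncols):
    """Lemma 3.1 check: is there b with bQ >= 0 and (bQ)_v > 0?
    After scaling b, this is the system bQ >= e_v in the unknowns b."""
    rows = [([q[j] for q in Q], 1 if j == v else 0) for j in range(ncols)]
    return fm_feasible(rows)

def rank(M):
    """Rank of a rational matrix by Gaussian elimination."""
    M = [row[:] for row in M]
    r, ncols = 0, (len(M[0]) if M else 0)
    for c in range(ncols):
        p = next((i for i in range(r, len(M)) if M[i][c] != 0), None)
        if p is None:
            continue
        M[r], M[p] = M[p], M[r]
        for i in range(len(M)):
            if i != r and M[i][c] != 0:
                f = M[i][c] / M[r][c]
                M[i] = [x - f * y for x, y in zip(M[i], M[r])]
        r += 1
    return r

def entails(hyps, concl):
    """Decide whether the hypotheses q = O(r) entail s = O(t).
    hyps: list of (q, r); concl: (s, t); q and s map variable -> coefficient,
    r and t are sets of variables (a sum of distinct variables)."""
    s, t = concl
    variables = sorted(set(s) | set(t)
                       | {v for q, r in hyps for v in set(q) | set(r)})
    A = set(t)
    while True:
        free = [v for v in variables if v not in A]
        # Q holds q[A] for every hypothesis whose bound r lies inside A.
        Q = [[Fraction(q.get(v, 0)) for v in free]
             for q, r in hyps if set(r) <= A]
        # Adding all newly bounded variables per pass reaches the same
        # fixed point as adding them one at a time.
        new = {v for j, v in enumerate(free) if can_bound(Q, j, len(free))}
        if not new:
            break
        A |= new
    s_vec = [Fraction(s.get(v, 0)) for v in free]
    # s[A] is in the span of Q exactly when adding it leaves the rank unchanged.
    return rank(Q) == rank(Q + [s_vec])

# Constructed input: the second entailment from the introduction,
# f + g = h + O(k), g = O(l), k = O(l)  =>  f = h + O(l).
INTRO_HYPS = [({"f": 1, "g": 1, "h": -1}, {"k"}), ({"g": 1}, {"l"}), ({"k": 1}, {"l"})]
INTRO_CONCL = ({"f": 1, "h": -1}, {"l"})

if __name__ == "__main__":
    print(entails(INTRO_HYPS, INTRO_CONCL))
```

An equation $f = g$ is encoded as the hypothesis `({"f": 1, "g": -1}, set())`, that is, $f - g = O(0)$.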

Note that if R is an ordered group instead of an ordered ring, there is still 
an action of Z on R, taking kx to be a sum x + . . . + x of k many x's. Big 
O notation even makes sense in this setting, if one interprets the constant C 
as an element of Z. The axioms of Section [2] are still valid, and the decision 
procedure above still works. When R is a subfield of the real numbers, the two 
interpretations coincide. 

In the other direction, when $R$ is a field, it makes sense to include
multiplication by arbitrary rational constants in the language. Since the duality
principle from linear programming holds for any subfield $R$ of the real numbers,
the procedure also works for such $R$ when we allow multiplication by constants
from any computable subfield, that is, function symbols $c_a(f) = af$, for each
such $a$.

It is not hard to see that the axioms described in Section [5] are sufficient to 
prove any entailment that our procedure sanctions as valid. This yields: 

Theorem 4.4 The set of quantifier-free formulas of L valid in the intended 
class of interpretations is equal to the set of quantifier-free consequences of the 
axioms in Section^ 

If we add multiplication by constants, it suffices to add the obvious identities,
like $c_a(f + g) = c_a(f) + c_a(g)$, and so on.

5 Handling negative values 

The absolute value function is defined on any ordered ring by setting \x\ = x if 
x > 0, and \x\ — —x otherwise. This can be lifted to functions from a set to an 
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ordered group by defining |/| to be the function mapping x to for every 

x. 

Let us now extend the language L of Section 2 to a language L' where we add 
subtraction and absolute value, and now take the function variables to range 
over functions from a set S to an arbitrary ring R. The functions min and max 
can then be defined by the following equations: 

$$\min(f, g) = (f + g - |f - g|)/2$$
$$\max(f, g) = (f + g + |f - g|)/2$$

Since $|f|$ is always a nonnegative function and any nonnegative function can 
be expressed in this way, the decision procedure in the previous section can be 
viewed as working with the fragment of the language with only addition, and 
where variables are replaced by expressions of the form $|f|$. Our goal now is to 
show that the procedure extends to the full language. 

Theorem 5.1 Let F be the set of functions from any infinite set S to any 
ordered ring R. Then the set of quantifier-free formulas of L' that are valid in 
F is decidable, and does not depend on the choice of F. 

As before, if R is a subfield of the reals, we can extend the language with 
multiplication by constants in any computable subfield. 

When functions can take on positive and negative values, the task of 
determining what is valid becomes more subtle. The expressions $f_1 = O(g)$ and 
$f_2 = O(g)$ still entail $f_1 + f_2 = O(g)$, but it is no longer necessarily the case that 
$f = O(g_1)$ and $f = O(g_2)$ entail $f = O(g_1 + g_2)$, or even that $g_1 = O(g_1 + g_2)$ 
generally holds: consider the fact that $g_2$ might be $-g_1$. But if f is any function, 
we can subdivide the domain S into a set $S_0$ where the value of f is nonnegative 
and a set $S_1$ where the value of f is nonpositive. In fact, we can do this for all 
terms appearing in an expression, creating a partition of S such that on each 
element of the partition the signs of the terms do not change. A big O equation 
will hold if and only if it holds on each segment of the partition, and we can use 
this observation to reduce the problem to that which we solved in Section 4. 

In order to spell out the details, we will rely on the following lemma. We 
will use variables $\alpha, \beta, \gamma, \ldots$ to range over nonnegative functions, which can be 
thought of as expressions of the form $|a|, |b|, |c|, \ldots$, where $a, b, c, \ldots$ are ordinary 
variables of L'. From now on we assume we are dealing with functions from an 
infinite set S to an ordered ring R. 

Lemma 5.2 Let $\varphi(f)$ be any quantifier-free formula in the language of L'. 
Then $\varphi(f)$ is valid if and only if $\varphi(\alpha)$ and $\varphi(-\alpha)$ are both valid, where $\alpha$ is 
a new variable ranging over nonnegative functions. 

Proof. Clearly if $\varphi(f)$ is valid then it holds whenever f is nonnegative or 
nonpositive, so $\varphi(\alpha)$ and $\varphi(-\alpha)$ are both valid. To verify the converse, as in the 
previous section, we only need to consider Horn clauses 

$$\bigwedge q_i = O(r_i) \rightarrow s = O(t).$$
So, suppose for some assignment of variables, including the expression above is 
false. Then each $q_i = O(r_i)$ is true for this assignment, but $s = O(t)$ is false. Let 
$S_0$ be the elements of S where f is nonnegative, and let $S_1$ be $S - S_0$. Then each 
hypothesis $q_i = O(r_i)$ remains true when the functions are restricted to $S_0$ and 
$S_1$, respectively. Since $s = O(t)$ is false, it must be false of the restrictions of 
the functions to either $S_0$ or $S_1$. As in the previous section, this counterexample 
on an $S_i$ can be turned into a counterexample with domain S just by picking 
an element x in $S_i$ and setting $f(y) = f(x)$ for y in $S - S_i$. But now f is 
either nonnegative or nonpositive, providing a counterexample to either $\varphi(\alpha)$ or 
$\varphi(-\alpha)$. □ 

We now describe a procedure for transforming a formula $\varphi$ involving variables 
$f_1, \ldots, f_m$ into a formula $\varphi'$ involving only variables $\alpha_1, \ldots, \alpha_k$, such that the 
absolute value function does not occur in $\varphi'$, and such that $\varphi$ is valid if and only 
if $\varphi'$ is. In an expression $s = O(t)$ in $\varphi'$, s may be a rational linear combination of 
variables, but that can be understood according to the conventions of Section^ 
t will always be a variable, $\alpha$. Thus the decision procedure in Section 3 applies 
to $\varphi'$. 

First, in $\varphi$, replace every atomic formula $s = O(t)$ by $s = O(|t|)$. Clearly, 
this does not change the interpretation of the formula. 

Now, iteratively, for each expression $|t|$ occurring in $\varphi$, introduce a new 
variable h, add the hypothesis $h = t$, and replace t by h in $\varphi$. Do this with 
the innermost occurrences of t first, so we are left with a formula of the form 



where the absolute value function does not occur in any $t_i$, and occurs only in 
the form $|h_i|$ in $\varphi$. 

The result is a formula involving the original variables $f_1, \ldots, f_m$ and 
new variables $h_1, \ldots, h_n$. By Lemma 5.2, this formula is valid if and only if so is 
the conjunction obtained by substituting all combinations $\pm\alpha_1, \ldots, \pm\alpha_{m+n}$ for 
these variables. Replace $|\pm\alpha_j|$ by $\alpha_j$, and call the resulting formula $\varphi'$. Then 
$\varphi'$ has the requisite form, and we are reduced to Theorem 4.2. □ 

It is instructive to see how this procedure works on particular examples. For 
example, one attempts to verify $f = O(f + g)$ by considering $f = O(|f + g|)$, 
and then, in turn, $h = f + g \rightarrow f = O(|h|)$. This last formula is valid if every 
substitution of $\pm\alpha$, $\pm\beta$, and $\pm\gamma$ for f, g, and h, respectively, yields a valid 
formula. But if we substitute $\alpha$, $-\beta$, and $\gamma$, we get $\gamma = \alpha - \beta \rightarrow \alpha = O(\gamma)$. 
This is equivalent to $\beta + \gamma = O(\gamma)$, which is not generally valid. 

Because the procedure involves iterating case splits, the algorithm runs in 
exponential time. We do not know whether this upper bound can be improved. 
In situations where the signs of subterms are constant and can be determined, 
however, such splits can be avoided. 
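
The reduction of this section, from a Horn clause with absolute values to a family of sign-fixed clauses, written out as an added Python example (it is not code from the paper). The tuple encoding of terms and all function names are assumptions of this example; each key v in the output stands for the nonnegative variable $\alpha_v$, and deciding the resulting clauses is left to the decision procedure of the earlier section, which is not reproduced here.

```python
from itertools import product

# Terms are nested tuples (an encoding assumed for this example):
#   ("var", name), ("add", a, b), ("neg", a), ("abs", a)
def var(n): return ("var", n)
def add(a, b): return ("add", a, b)
def neg(a): return ("neg", a)
def absv(a): return ("abs", a)

def flatten(term, eqs):
    """Replace each |t|, innermost first, by |h_i| and record h_i = t in eqs."""
    tag = term[0]
    if tag == "var":
        return term
    if tag == "abs":
        inner = flatten(term[1], eqs)      # inner occurrences are named first
        h = var(f"h{len(eqs) + 1}")
        eqs.append((h, inner))
        return absv(h)
    return (tag,) + tuple(flatten(a, eqs) for a in term[1:])

def variables(term, acc):
    """Collect variable names in order of first appearance."""
    if term[0] == "var":
        if term[1] not in acc:
            acc.append(term[1])
    else:
        for a in term[1:]:
            variables(a, acc)
    return acc

def linear(term, signs):
    """Coefficients after substituting signs[v] * alpha_v for each variable v.
    After flattening, |.| only wraps a variable, and |+-alpha_v| becomes alpha_v."""
    tag = term[0]
    if tag == "var":
        return {term[1]: signs[term[1]]}
    if tag == "neg":
        return {v: -c for v, c in linear(term[1], signs).items()}
    if tag == "abs":
        assert term[1][0] == "var"
        return {term[1][1]: 1}
    out = {}
    for a in term[1:]:
        for v, c in linear(a, signs).items():
            out[v] = out.get(v, 0) + c
    return {v: c for v, c in out.items() if c != 0}

def sign_split(hyps, concl):
    """hyps: list of (q, r) meaning q = O(r); concl: (s, t) meaning s = O(t).
    Returns the variable names and one sign-fixed clause per sign choice."""
    eqs = []
    # Step 1: read every bound O(t) as O(|t|). Step 2: name each |t| by h_i.
    flat_hyps = [(flatten(q, eqs), flatten(absv(r), eqs)) for q, r in hyps]
    flat_concl = (flatten(concl[0], eqs), flatten(absv(concl[1]), eqs))
    names = []
    for a, b in flat_hyps + [flat_concl] + eqs:
        variables(a, names)
        variables(b, names)
    # Step 3: one case per choice of sign for every variable (2**len(names)).
    cases = []
    for choice in product((1, -1), repeat=len(names)):
        signs = dict(zip(names, choice))
        cases.append({
            "signs": signs,
            "equations": [(linear(h, signs), linear(u, signs)) for h, u in eqs],
            "hypotheses": [(linear(q, signs), linear(r, signs))
                           for q, r in flat_hyps],
            "conclusion": (linear(flat_concl[0], signs),
                           linear(flat_concl[1], signs)),
        })
    return names, cases

if __name__ == "__main__":
    names, cases = sign_split([], (var("f"), add(var("f"), var("g"))))
    print(len(cases), "cases over", names)
```

For $f = O(f + g)$ the function returns $2^3 = 8$ cases, one of which is the failing substitution $(\alpha, -\beta, \gamma)$ discussed above.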
6 Handling constant functions 

In this section, we suppose we are dealing with the set F of functions from a set 
S to an ordered field R where there is at least one function, $G_*$, that does not 
have constant rate of growth; i.e. such that $1 = O(G_*)$ but $G_* \neq O(1)$, where 1 
denotes the constant function returning one. For example, on functions from $\mathbb{N}$ 
to $\mathbb{R}$ we can take $G_*(x) = 1 + x$; in general, we can find such a function as long 
as there is a cofinal subset of R that has cardinality at most that of S. 

We have not included a symbol for the constant function 1 in the language 
of L. We can obtain some of the expressions that are valid in the extended 
language by using a variable $g_1$ in place of 1, and then checking the validity of 

$g_1 \neq O(0) \rightarrow \varphi$, (6) 

where $\varphi$ is any quantifier-free formula involving $g_1$ and other variables $f_1, \ldots, f_m$. 
If this expression is valid, then clearly $\varphi$ is valid when $g_1$ is interpreted as 1. 
In this section we will show, surprisingly, that the converse holds, i.e. that all 
valid entailments arise in this way. 

Theorem 6.1 For any quantifier-free formula $\varphi$ in the language L', $\varphi$ is valid 
when $g_1$ is interpreted as the constant function 1 if and only if the formula 

$g_1 \neq O(0) \rightarrow \varphi$ 

is valid. 

As a result, our decidability results hold for the extension to the language 
L' with a symbol to denote the constant one function. (In structures where 
$f = O(1)$ holds for every f, a straightforward variation of the decision procedure 
works.) 

Proof. As before, it suffices to prove the theorem for Horn clauses and the 
language L, where the variables are assumed to range over nonnegative functions. 
Suppose $\varphi$ is a Horn clause of the form $\bigwedge q_i = O(r_i) \rightarrow s = O(t)$, involving 
variables $f_1, \ldots, f_m$ and $g_1$. The formula $g_1 \neq O(0) \rightarrow \varphi$ is equivalent to 

$$\bigwedge q_i = O(r_i) \rightarrow g_1 = O(0) \lor s = O(t).$$

If $\varphi$ is not valid, then our algorithm returns "false" on both 

$$\bigwedge q_i = O(r_i) \rightarrow g_1 = O(0)$$

and 

$$\bigwedge q_i = O(r_i) \rightarrow s = O(t).$$

We will show that from this outcome on both runs, we can construct a 
counterexample to $\varphi$ where $g_1$ is interpreted as 1. 

Since the algorithm returns "false" to the first query, we know from Section 4 
that there is an assignment of rational values $c_1, \ldots, c_m, u$ to $f_1, \ldots, f_m, g_1$ 
making the hypotheses true, but $g_1 \neq 0$. Scaling, we can assume that $u = 1$. Let 
A be the set of variables that have been accumulated by the end of the main 
loop. Then A is the set of variables f such that $f = O(0)$ has been determined 
to be a consequence of the hypotheses; that is, the set of symbols f such that 
we have $f = 0$. We have that $c_i \neq 0$ for each $f_i$ that is not in A. 

Since the algorithm returns "false" to the second query, we know that there 
is an assignment of rational values $d_1, \ldots, d_m, v$ to $f_1, \ldots, f_m, g_1$ making the 
hypotheses true, and the conclusion $s = O(t)$ false. In other words, t has a 
value of 0, and s has a nonzero value, under the assignment. Let B be the set 
of variables f such that $f = O(t)$ has been determined to be a consequence of 
the hypotheses by the end of the second algorithm. Note that B includes A: if 
$f = O(0)$ is a consequence of the hypotheses, then so is $f = O(t)$. 

Now there are two cases, depending on whether $g_1$ is in the set B at the 
end of this second run. If it isn't, then $g_1 = O(t)$ is not entailed by the 
hypotheses. In that case, we can proceed as in Section 0] The value v assigned 
to $g_1$ is strictly positive, so we can scale the assignment so that $v = 1$. 
Assigning $f_1, \ldots, f_m, g_1$ the constant functions that return $d_1, \ldots, d_m, v$ provides 
the desired counterexample. In this case, we just discard the values $c_1, \ldots, c_m, u$ 
obtained from the first run of the algorithm. 

Otherwise, the value v assigned to $g_1$ by the second run of the algorithm 
is 0, which is to say, $g_1 = O(t)$ is a consequence of the hypotheses. In that 
case, we will construct a counterexample by assigning functions that are $O(1)$ 
to variables f in A, that is, the ones that are required to have rate of growth 
$O(t)$; and we will assign functions that are $O(G_*)$ to the rest. Specifically, for 
each i, assign the function $d_i G_* + c_i$ to the variable $f_i$, and assign the function 
$1 = vG_* + u$ to $g_1$. 

Let us show that this works. Consider a hypothesis $q = O(r)$. If r involves 
any variable $f_i$ not in B, then the value of r is $O(G_*)$, and the hypothesis is 
automatically satisfied, because all the functions have growth rate less than or 
equal to $O(G_*)$. 

Otherwise, every $f_i$ occurring in r is in B. Suppose for at least one $f_i$ 
occurring in r, $f_i$ is not in A. Then the value of r is a nonzero constant function. 
In that case, the value of the constant terms of the functions assigned to the 
variables $f_i$ is irrelevant as to whether the equation is satisfied; all that matters 
are the coefficients $d_i$ of $G_*$. But these were chosen by the second run of the 
algorithm so that all these hypotheses are satisfied. 

We are left with the case where all the variables occurring in r are in A. In 
this case, $O(r) = O(0)$ under the assignment. The value of the constant term of q 
under the final assignment is equal to the value of q under the assignment of 
$c_1, \ldots, c_m, u$ to the variables, and these values were chosen by the first run of 
the algorithm to ensure that this is equal to 0. The value of the coefficient of $G_*$ 
in q under the final assignment is equal to the value of q under the assignments 
of $d_1, \ldots, d_m, v$ to the variables, and these values were chosen by the second run 
of the algorithm to ensure that this is equal to 0. Thus q is equal to under 
the final assignment. 

Finally, we only need to show that $s = O(t)$ comes out false under the 
assignment. But we assigned values to the variables of t so as to ensure that t 
has value at most $O(1)$, while at the same time the values of $d_1, \ldots, d_m$ guarantee 
that $s \neq O(t)$, and so $s \neq O(t)$, as required. □ 



7 Handling an increasing sequence of functions 

We now strengthen the result from the previous section. Write $f \prec g$ if $f = O(g)$ 
and $g \neq O(f)$. Let F be the set of functions from a set S to the nonnegative part 
of an ordered ring R, and suppose $G_1, \ldots, G_k, G_*$ are any nonnegative functions 
satisfying 

$$0 \prec G_1 \prec G_2 \prec \cdots \prec G_k \prec G_*$$

Suppose we expand our language with function symbols $g_1, \ldots, g_k$, intended to 
denote $G_1, \ldots, G_k$. We will now show that when we are dealing with Horn 
clauses and the function variables are assumed to range over F, once again, the 
obvious strategy for testing validity turns out, surprisingly, to be complete. In 
this case, handling functions that take negative values and arbitrary 
quantifier-free formulas requires some additional hypotheses. We will therefore 
deal with the simpler case first. 

Theorem 7.1 Fix S, R, F, and $G_1, \ldots, G_k$ as above. A Horn clause $\varphi$ is valid 
when the variables range over F and $g_1, \ldots, g_k$ are interpreted as $G_1, \ldots, G_k$, 
respectively, if and only if 

$0 \prec g_1 \prec g_2 \prec \cdots \prec g_k \rightarrow \varphi$ (7) 

is valid in the sense of Theorem 4.1. 

Thus, we can decide the validity of big O entailments relative to any sequence 
of nonnegative functions with strictly increasing rate of growth, and the results 
do not depend on which ones we use. Now, suppose $g_\alpha$ is any set of symbols 
indexed by a computable linear ordering I. Since any formula can only use 
finitely many of them, we have the following: 

Corollary 7.2 Let F be any set of functions from an infinite set S to the 
nonnegative part of an ordered ring, R. Let $\{G_\alpha\}$ be any set of functions in F, 
indexed by a computable linear ordering I, such that $G_\alpha \prec G_\beta$ whenever $\alpha < \beta$. 
Consider the language L' with constants $g_\alpha$ to denote the functions $G_\alpha$. Then 
the set of Horn clauses valid in the structure $\langle F, \ldots, G_\alpha, \ldots \rangle$ is decidable, and 
does not depend on the structure chosen. 

Clearly if formula (7) of Theorem 7.1 is valid, then $\varphi$ is valid when $g_1, \ldots, g_k$ 
are interpreted as $G_1, \ldots, G_k$. We need to show the converse, i.e. that if 
formula (7) is false, we can construct a counterexample to $\varphi$ with the same 
interpretations of $g_1, \ldots, g_k$. The following lemma will facilitate our task. 
Lemma 7.3 Let $\varphi$ be any quantifier-free formula in L. Let f and g be any 
variables occurring in $\varphi$. Then $\varphi$ is valid if and only if the formula 

$$(f = O(g) \lor g = O(f)) \rightarrow \varphi$$

is valid. 

Note that here we are dealing with formulas in L, not L', and validity in the 
sense of Theorem 4.1. The proof is virtually identical to that of Lemma 5.2: 
given any interpretations for f and g, we can divide the domain S into the set 
$S_0$ on which $|f(x)| < |g(x)|$, and the complementary set $S_1 = S - S_0$. 

Proof of Theorem 7.1. Let $\varphi$ be a Horn clause in the language L', of the form 

$$\bigwedge q_i = O(r_i) \rightarrow s = O(t).$$

Formula (7) is equivalent to 

$$\bigwedge g_i = O(g_{i+1}) \land \bigwedge q_i = O(r_i) \rightarrow$$

$g_1 = O(0) \lor g_2 = O(g_1) \lor \ldots \lor g_k = O(g_{k-1}) \lor s = O(t)$. (8) 

On the assumption that this is not valid, we need to construct a counterexample 
with the desired interpretations of $g_1, \ldots, g_k$. We can introduce new variables to 
name s and t, and so assume without loss of generality that s and t are variables 
themselves. Using Lemma 7.3, we can assume that for every pair of variables f 
and g, either $f = O(g)$ or $g = O(f)$ is among the hypotheses of $\varphi$. 

With this useful simplification, the argument now follows a line of reasoning 
similar to that used in Section 6. Since formula (8) is not valid, running the 
algorithm on each of the k + 1 disjuncts returns "false." From the first k runs 
of the algorithm we get sets of variables 

$$A_0 \subseteq A_1 \subseteq \ldots \subseteq A_{k-1},$$

where a variable f is in $A_0$ if and only if f = is a consequence of the hypotheses, 
and for $i = 1, \ldots, k - 1$ a variable f is in $A_i$ if and only if $f = O(g_i)$ is a 
consequence of the hypotheses. In particular, for $i = 1, \ldots, k - 1$, $g_i$ is in $A_i$ 
but not $A_{i-1}$. We also get assignments $c^0, \ldots, c^{k-1}$ of rational numbers to the 
variables in such a way that for each i: 

• the assignment $c^i$ satisfies all the hypotheses; 

• $c^i$ assigns to variables in $A_i$; and 

• $c^i$ assigns strictly positive values to variables not in $A_i$. 

For notational uniformity, we tack one more set onto the end of the sequence: 
let $A_k$ be the set of all the variables in $\varphi$, and let $c^k$ be the assignment that 
assigns to every variable. 

From the last run of the algorithm we get a set of variables B that includes 
t but not s, and an assignment d to the variables such that: 

• d satisfies all the hypotheses; 

• d assigns a value of to all the variables in B; and 

• d assigns strictly positive values to variables not in B. 

Now there are three possibilities. Either B contains but not $g_1$, or for some 
$i = 1, \ldots, k - 1$, B contains $g_i$ but not $g_{i+1}$, or B contains $g_i$ for every i. By the 
assumption that $\varphi$ fixes an ordering on the rates of growth of the variables, in 
the first case, we have $B \subseteq A_1$; in the second case, we have $A_{i-1} \subseteq B \subseteq A_{i+1}$; 
in the last case, we have $A_{k-1} \subseteq B$. In the first case, replace $A_0$ by B and the 
assignment $c^0$ by d; in the second case, replace $A_i$ by B and the assignment $c^i$ 
by d; in the third case, replace $A_k$ by B and the assignment $c^k$ by d. Then the 
sets 

$$A_0 \subseteq A_1 \subseteq \ldots \subseteq A_k$$

and the assignments $c^0, c^1, \ldots, c^k$ have the following properties: 

• is in $A_0$, but not $A_1$. 

• For each $i = 1, \ldots, k$, $g_i$ is in $A_i$, but not $A_{i-1}$. 

• For some $i < k$, t is in $A_i$, and s is not in $A_i$. 

• For each $i = 0, \ldots, k$: 

— $c^i$ assigns a value of to all variables in $A_i$; 

— $c^i$ assigns strictly positive values to variables not in $A_i$; 

— $c^i$ satisfies all the hypotheses $q = O(r)$ of $\varphi$; in other words, q = 
$q[A_i]$ = whenever r is under the assignment. 

We will assign functions to the variables $f_1, \ldots, f_k, g_1, \ldots, g_m$ so that: 

• for each $i = 1, \ldots, m$, $g_i$ is assigned the value $G_i$; 

• each variable in A is assigned 0; 

• for each $i = 1, \ldots, k$, each variable f in $A_i$ but not $A_{i-1}$ is assigned a 
function that is $O(G_i)$ but not $O(G_{i-1})$; 

• each variable not in $A_k$ is assigned a function that is $O(G_*)$ but not $O(G_k)$; 
and 

• all the hypotheses of $\varphi$ are satisfied. 

These conditions imply that for some i, $t = O(G_i)$ but $s \neq O(G_i)$, so $s \neq O(t)$ 
under the assignment, as required. 

Let $H_1, \ldots, H_k$ be functions from S to R having the same rate of growth as 
$G_1, \ldots, G_k$. For the moment, this is all we assume about $H_1, \ldots, H_k$; we will 
choose particular values for these functions soon. For each assignment $c^i$, let 
$c^i(f)$ denote the rational number assigned to the variable f. To each variable 
f, we assign the function 

$$c^0(f)H_1 + c^1(f)H_2 + c^2(f)H_3 + \ldots + c^{k-1}(f)H_k + c^k(f)G_*.$$

It is not hard to see that this assignment gives the variables the orders of 
growth claimed. 

Let us show that the hypotheses of $\varphi$ are satisfied under the assignment. Let 
$q = O(r)$ be one of these hypotheses. If r has a function symbol that is not in 
$A_k$, then $G_* = O(r)$, and $q = O(r)$ is satisfied immediately. Otherwise, let i be 
the largest index such that r has a variable in $A_i$. Then $H_i = O(r)$, and all that 
matters are the coefficients of $H_{i+1}, \ldots, H_k, G_*$ in q; in other words, all that 
matters are the coefficients of $q[A_i]$. But since all of the variables of r are in 
$A_i$, the assignments $c^{i+1}, \ldots, c^k$ were chosen to ensure that all the coefficients 
of $H_{i+1}, \ldots, H_k, G_*$ in $q[A_i]$ are 0, as required. 

We only need to choose $H_1, \ldots, H_k$ so that $g_1, \ldots, g_k$ receive the values 
$G_1, \ldots, G_k$. But because, for each i, $g_i$ is in $A_i$ but not $A_{i-1}$, $g_i$ is assigned a 
value of the form 

$$a_{i,1}H_1 + a_{i,2}H_2 + \ldots + a_{i,i}H_i,$$

where each coefficient is strictly positive. Set each of these values to the 
corresponding $G_i$; now it is not hard to see that we can iteratively solve for $H_i$ 
in terms of $G_i$, and that each $H_i$ will be an expression involving $G_1, \ldots, G_i$ in 
which $G_i$ has a nonzero coefficient. Thus, for this choice of $H_1, \ldots, H_k$, all the 
conditions are satisfied, and we have the desired counterexample. □ 

In order to extend the decision procedure above to arbitrary quantifier-free 
formulas, we need to be able to combine counterexamples, as in the discussion 
at the beginning of Section 4. And to extend the decision procedure to functions 
that also take negative values, we need an analogue to Lemma 5.2, whose proof 
relied on the ability to extend a counterexample on a subset of the domain. 
Once we fix functions $G_1, G_2, \ldots, G_k$, however, both these requirements are 
problematic, unless we impose further assumptions. For example, the assertion 
$G_i \prec G_j$ only describes the global behavior of $G_i$ and $G_j$, leaving the possibility 
that additional information is encoded in the set of values x where $G_j(x) < 
G_i(x)$. 

We will henceforth assume that S carries a linear ordering, <, and has no 
greatest element. If A and B are subsets of S, we will say that A is cofinal in B 
if for every b in B, there is an a in A such that a > b. Note that if A is cofinal 
in B and B is cofinal in C then A is cofinal in C, and any set cofinal in S is 
infinite. We now impose the following additional restrictions: 

• We read $f = O(g)$ as the assertion that f is eventually $O(g)$, that is, for 
some C and $y \in S$ we have $\forall x > y \; (|f(x)| < C|g(x)|)$. 

• We assume that the relationships 

$$0 \prec G_1 \prec G_2 \prec \ldots \prec G_k \prec G_*$$

also hold of the restrictions of the $G_j$'s to any cofinal subset of S. 
The second clause says that, in a sense, the relationships between the $G_j$'s are 
robust. This clause is clearly satisfied by the functions given in the example in 
Section [TJ We now show that these restrictions are enough to ensure that an 
analogue of Lemma 5.2 holds for Horn clauses. 

Lemma 7.4 Let S and $G_1, \ldots, G_k, G_*$ be as above, and let $\varphi(f)$ be any Horn 
clause in L'. Then $\varphi(f)$ is valid for interpretations where the variables range 
over functions from any cofinal subset of S to R, and $g_1, \ldots, g_k$ are interpreted 
as the corresponding restrictions of $G_1, \ldots, G_k$, respectively, if and only if $\varphi(\alpha)$ 
and $\varphi(-\alpha)$ are both valid for the same class of interpretations, with $\alpha$ restricted 
to range over nonnegative functions. 

Proof. If $\varphi(f)$ is valid, then so are $\varphi(\alpha)$ and $\varphi(-\alpha)$, so we only need to prove the 
converse. Let $\varphi(f)$ be the Horn clause $\bigwedge q_i = O(r_i) \rightarrow s = O(t)$, and suppose 
$\varphi(f)$ is not valid. Fix a counterexample, which therefore makes each equation 
$q_i = O(r_i)$ true and $s = O(t)$ false for some cofinal subset S' of S. Let $S_0$ be the 
set of elements x in S' such that $f(x)$ is nonnegative, and let $S_1 = S' - S_0$. The 
fact that $s = O(t)$ is false on S' means that it is false of the restriction to either 
$S_0$ or $S_1$. Since we are using the "eventually" reading of big O, we can further 
assume that this $S_i$ is cofinal in S', and hence cofinal in S. Thus we have a 
counterexample to the validity of $\varphi(\alpha)$ or a counterexample to the validity of 
$\varphi(-\alpha)$, as required. □ 

By the reductions in Section 5, we therefore have the following: 

Theorem 7.5 Given S, R, F, and $G_1, \ldots, G_k$ as above and the "eventually" 
reading of the big O relation, the set of Horn clauses of L' valid in this 
interpretation is decidable. 

Recall that every ordered ring R contains a copy of the natural numbers. To 
extend our decision procedure to arbitrary formulas, we impose the following 
additional restrictions: 

• The image of $\mathbb{N}$ is cofinal in R. 

• There is a countable cofinal subset of S. 

Note that both these restrictions hold when R and S are any of the sets $\mathbb{Z}$, $\mathbb{Q}$, 
or $\mathbb{R}$. 

Lemma 7.6 With the additional assumptions above, any formula $\varphi$ of L' of 
the form 

$$\bigwedge q_i = O(r_i) \rightarrow \bigvee_{j=1}^{m} s_j = O(t_j)$$

is valid if and only if each formula 

$$\bigwedge q_i = O(r_i) \rightarrow s_j = O(t_j)$$

is valid for each $j = 1, \ldots, m$. 

Proof. Suppose we are given a counterexample to the formula $\bigwedge q_i = O(r_i) \rightarrow 
s_j = O(t_j)$ for each $j = 1, \ldots, m$. We need only show how to amalgamate these 
counterexamples. Since $s_j = O(t_j)$ is false in the jth counterexample for each 
$j = 1, \ldots, m$, we can choose, for each $n \in \mathbb{N}$, an element $x_{j,n}$ in S such that 

$$|s_j(x_{j,n})| > n \cdot |t_j(x_{j,n})|$$

is satisfied under that interpretation. Since we are using the "eventually" 
reading of big O and assuming there is a countable cofinal subset of S, we can 
further assume that for each j, the sequence $(x_{j,n})_{n \in \mathbb{N}}$ is increasing and cofinal 
in S. We can then thin out these sequences, deleting elements that are 
duplicated, to ensure that they are disjoint. 

Now define a new interpretation by interpreting each function symbol 
according to the jth counterexample on the sequence $(x_{j,n})_{n \in \mathbb{N}}$, and, say, according 
to the first counterexample on all the other elements of S. Then this interpretation 
will still satisfy $q_i = O(r_i)$ for each i, since each of the counterexamples does. 
But for each j, we have guaranteed that $s_j = O(t_j)$ is false, since for any y in 
S and n in $\mathbb{N}$ we have guaranteed that $|s_j(x)| > n \cdot |t_j(x)|$ for some x > y. □ 

Thus, by the observations at the beginning of Section 4, we can extend 
decidability from Horn clauses to arbitrary quantifier-free formulas. 

Theorem 7.7 Given S, R, F, and $G_1, \ldots, G_k$ satisfying the additional 
restrictions above, and the "eventually" reading of the big O relation, the set of 
quantifier-free formulas of L' valid in this interpretation is decidable. 

8 Questions 

There are a number of interesting theoretical puzzles, as well as interesting 
pragmatic challenges, that remain. 

We have restricted our attention to linear terms. A number of useful big O 
identities hold of terms involving multiplication and composition of functions 
(see [2JIZ]). We do not know, for example, whether the quantifier-free fragment 
of the language is decidable in the presence of multiplication. Nor do we know 
whether anything useful can be said about composition. 

Our handling of constant functions in Section 6 presupposed that the range 
of the set of functions is an ordered field. We do not know, for example, whether 
the linear theory of big O equations involving functions from $\mathbb{N}$ to $\mathbb{Z}$ is decidable 
when we include the constant function 1, or even whether the set of validities 
described in Section 6 is complete. 

We also do not know whether the full first-order theory of the linear fragment 
of big O reasoning is decidable. In practice, however, this theory does not seem 
to be very useful. 

Even in cases where the full theory is undecidable, we suspect that there 
are reasonable procedures that capture most of the inferences that come up in 
practice, and do so efficiently. We are fortunate that the simple decision 
procedure we provide here seems to be pragmatically useful as well. In general, 
although clean decidability and undecidability results provide a useful sense of 
what can be done in principle, when it comes to formal verification, it is equally 
important to find principled approaches to developing imperfect methods that 
work well in practice. (See, for example, [1] for a study of heuristic 
procedures for inequalities between real valued expressions that is motivated by 
this philosophy.) 